Lenovo Superfish Adware Excuses Are Lame

Lenovo is downplaying the installation of Superfish adware on its notebook PCs. Here's why we think business and consumer users deserve better.


Lenovo acknowledged that "some consumer notebook products" it shipped between September and December 2014 included adware called Superfish.

Businesses could be affected by Lenovo's disregard for its consumer customers. Any work-related information accessible from an affected notebook could be vulnerable. If you have purchased Lenovo notebooks for your employees -- or are aware of any users who may be accessing work-related data on their personal Lenovo devices -- you'll want to take measures to raise awareness about the dangers of adware.

Superfish is not alone in using what some industry observers view as dubious techniques to present ads. MIT has identified similar malware. And abuses of this sort go back for years. Remember Zango?

As Errata Security's Robert Graham explained in a blog post, Superfish is particularly bad as far as adware goes because it intercepts browser connections using a man-in-the-middle (MITM) proxy and installs its own root CA certificate so it can read even encrypted traffic. It does so to inject JavaScript into Web pages in order to serve ads.

Short of better consumer protection laws, and better behaved businesses, computer users should vote with their wallets. Don't buy products from companies that will compromise your security for a few extra dollars. And watch your back, because advertising and security are oftentimes incompatible.

Going forward, Lenovo has decided not to include the software with its products in any form, though the company insisted -- contrary to the views voiced by many computer security professionals -- that Superfish doesn't pose a security risk.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo said in a statement. "But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software."

In a statement, Adi Pinhas, CEO of Superfish, endorsed what Lenovo said. "Superfish is completely transparent in what our software does and at no time were consumers vulnerable -- we stand by this today," Pinhas said. "Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end."

Lenovo doesn't use the term "malware" to describe Superfish, but dissatisfied customers in Lenovo's forums do.

Some security professionals also use the term "malware," while others favor "adware." Given the prevalence of malicious ads -- RiskIQ detected more than 200,000 malicious ads on websites in 2014 -- it hardly seems worth the trouble to make a distinction. You don't want either on your computer.

Adware Backlash

In Germany, publishers are suing Eyeo GmbH because its software, AdBlock Plus, modifies their Web pages by blocking the JavaScript that presents ads. Enjoy the irony.

Whether or not German courts find ad blocking illegal, Superfish probably isn't illegal, because users agreed to install it. "Users are given a choice whether or not to use the product," Lenovo insisted in its statement. Whether that choice was clearly understood by consumers is a different matter.

The Electronic Frontier Foundation argued that Superfish's approach is not only inappropriate, but dangerous. "The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken," explained EFF's Joseph Bonneau, Peter Eckersley, and Jacob Hoffman-Andrews in a blog post. It turns out Firefox is affected too.

Anyone using an affected laptop could have his or her encrypted communications compromised by a network attacker using a copy of the Superfish MITM private key, which has been posted online. Lenovo's conclusion that Superfish presents no security risk is simply wrong. Pinhas's assertion that Superfish is "completely transparent" defies belief.
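For administrators who want to check a Windows laptop for the problem described above, here is an added audit script (not from the article, Lenovo, or Superfish). It assumes an elevated PowerShell session on the machine being checked and flags two things: any trusted root whose subject mentions Superfish, and, more generally, any trusted root whose private key is present on the same machine, which is the telltale of locally installed interception software.

```powershell
# Added example, not part of the article. Assumes elevated PowerShell on the
# laptop under review. Audits the Windows root stores for interception roots.
function Find-InterceptionRoot {
    param(
        # Root stores that Internet Explorer, Chrome and Safari for Windows trust.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        # Substring to match in the subject; 'Superfish' is the case from the article.
        [string]$SubjectPattern = 'Superfish'
    )
    foreach ($store in $Stores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            $findings = @()
            if ($cert.Subject -match $SubjectPattern) {
                $findings += "subject matches '$SubjectPattern'"
            }
            # A root CA's private key should never live on an endpoint that trusts it.
            # A root with its key on the box can mint certificates for any site, which
            # is exactly how an MITM proxy reads HTTPS traffic.
            if ($cert.HasPrivateKey) {
                $findings += 'private key present on this machine'
            }
            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Finding    = ($findings -join '; ')
                }
            }
        }
    }
}

# Report first; remove only after confirming the hit is the interception root.
$suspects = Find-InterceptionRoot
$suspects | Format-Table -AutoSize

foreach ($s in $suspects) {
    # -WhatIf shows what would be deleted; drop it to actually remove the root.
    Remove-Item -Path (Join-Path $s.Store $s.Thumbprint) -WhatIf
}
```

Deleting the certificate removes the trust, not the proxy; the interception software itself still has to be uninstalled. Firefox keeps its own certificate store, so it has to be checked separately.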

In its statement, Lenovo digs itself deeper by noting: "The relationship with Superfish is not financially significant; our goal was to enhance the experience for users." So Lenovo tarnished its reputation and endangered its users for nothing? And if the goal was truly to enhance the experience for users, how could anyone conclude more ads would lead to a better experience?



Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...


The Superfish incident and how Lenovo initially handled the matter is a study in How Not To Handle Unpleasant PR. I'm sure Lenovo will recover but its initial reaction (before its Tweeted mea culpa) was very telling as to its thought processes.

It's crazy the things a large company like Lenovo would do for a few extra bucks. Sure they'll claim the usage patterns are in the Terms of Service, but they know no one reads it. Now they're on their heels stating that the use isn't considered malware. How nice that they consider 'decrypting encrypted traffic' as a good thing.

I couldn't agree more about the timing. I wonder how much damage the Superfish fiasco will hurt the Lenovo brand, being now the world's largest computer maker. In any case, I read (on ZDNet) that just yesterday, Lenovo joined Microsoft and released a removal tool for it.

This could not come at a worse time for Lenovo, aspiring to become a global phone brand. 'Man in the Middle Attack' is well understood and comprehensible in the industry, so Lenovo will have a tough time to defend.

This proxy is a pain in the butt to get rid of. Some anti-malware can detect it, but others not. And good luck trying to remove the proxy without knowing the culprit (program). In any case, I smell a big lawsuit if computers with the Superfish malware are getting compromised.

I use AdBlock Plus on my PCs, which makes browsing faster and more enjoyable. I don't believe that stifling ads will cause free content to disappear. It hasn't hurt television and it won't hurt the internet.

Most people would opt for the ad-blocking services. Safari in iOS offers that. It hurts the publishers in short term. In longer term, it also hurts the users themselves as the business model of internet itself is powered by "free content with ads".

Makes no sense in targeting users with volumes of ads. I know it works, as a click on an ad is counted as a hit, and many a time such ads have compelled me into buying stuff for my house that I otherwise would forget to buy. However, ads need a content management procedure.

Lenovo's arrogance is just mind-boggling. I expect that they will be punished by the market, and I wonder if this is something the government can involve itself in, too? The whole thing makes me want to re-explore the idea of buying my next machine from one of the many ebay vendors that sell computers without operating systems at deep discount, and buying the operating system directly from Microsoft.

I believe Safari in iOS offers a "Limit Ad Tracking" setting, which prevents ad companies from targeting ads based on user behavior -- what's blocked is a unique identifier rather than the ad itself. But as far as I can tell, mobile Safari does not block ads.

As for ad blocking hurting users because the Internet runs on free content, that's debatable. We might just be better off if we had to pay for everything online. There would be less content, for sure, but the vast majority of that content would not be missed. Whatever survived would by definition be worth paying for.